Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Set an authorizer when running the ticket-table SQL. Ticket [56b82836ffba9952]. |
|---|---|
| Downloads: | Tarball | ZIP archive |
| Timelines: | family | ancestors | descendants | both | sec2020 |
| Files: | files | file ages | folders |
| SHA3-256: |
fb41384045cb639141f00bd4756a0325 |
| User & Date: | drh 2020-08-17 14:09:04.107 |
Context
|
2020-08-19
| ||
| 01:07 | Cherrypick key fixes from the sec2020 branch in order to devise a minimal patch to get us to version 2.12.1. check-in: fe1264d35d user: drh tags: sec2020-2.12-patch | |
|
2020-08-17
| ||
| 17:34 | The allow-symlinks setting is no longer versionable and is off by default. The allow-symlinks setting no longer propagates with a clone. The help text for allow-symlinks discourages its use. There is a new --symlink flag on "fossil open" to permit the use of symlinks on an open, for the adventurous. Ticket [f9831fdef1d4edcc]. check-in: ff98dd5af6 user: drh tags: sec2020 | |
| 15:11 | Identify security-sensitive settings. Closed-Leaf check-in: aa4c3afc52 user: drh tags: sec2020-config-protection | |
| 14:09 | Set an authorizer when running the ticket-table SQL. Ticket [56b82836ffba9952]. check-in: fb41384045 user: drh tags: sec2020 | |
| 09:16 | Prohibit redirects from HTTP or HTTPS over to SSH or FILE. Fix for ticket [61613b0a9cf843b6]. check-in: 253dbd15e2 user: drh tags: sec2020 | |
Changes
Changes to src/db.c.
| ︙ | ︙ | |||
128 129 130 131 132 133 134 135 136 137 138 139 140 141 |
} aHook[5];
char *azDeleteOnFail[3]; /* Files to delete on a failure */
char *azBeforeCommit[5]; /* Commands to run prior to COMMIT */
int nBeforeCommit; /* Number of entries in azBeforeCommit */
int nPriorChanges; /* sqlite3_total_changes() at transaction start */
const char *zStartFile; /* File in which transaction was started */
int iStartLine; /* Line of zStartFile where transaction started */
} db = {0, 0, 0, 0, 0, 0, };
/*
** Arrange for the given file to be deleted on a failure.
*/
void db_delete_on_failure(const char *zFilename){
assert( db.nDeleteOnFail<count(db.azDeleteOnFail) );
| > > > | 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 |
} aHook[5];
char *azDeleteOnFail[3]; /* Files to delete on a failure */
char *azBeforeCommit[5]; /* Commands to run prior to COMMIT */
int nBeforeCommit; /* Number of entries in azBeforeCommit */
int nPriorChanges; /* sqlite3_total_changes() at transaction start */
const char *zStartFile; /* File in which transaction was started */
int iStartLine; /* Line of zStartFile where transaction started */
int (*xAuth)(void*,int,const char*,const char*,const char*,const char*);
void *pAuthArg; /* Argument to the authorizer */
const char *zAuthName; /* Name of the authorizer */
} db = {0, 0, 0, 0, 0, 0, };
/*
** Arrange for the given file to be deleted on a failure.
*/
void db_delete_on_failure(const char *zFilename){
assert( db.nDeleteOnFail<count(db.azDeleteOnFail) );
|
| ︙ | ︙ | |||
314 315 316 317 318 319 320 321 322 323 324 325 326 327 |
db.aHook[i].xHook = xS;
}
}
db.aHook[db.nCommitHook].sequence = sequence;
db.aHook[db.nCommitHook].xHook = x;
db.nCommitHook++;
}
#if INTERFACE
/*
** Possible flags to db_vprepare
*/
#define DB_PREPARE_IGNORE_ERROR 0x001 /* Suppress errors */
#define DB_PREPARE_PERSISTENT 0x002 /* Stmt will stick around for a while */
| > > > > > > > > > > > > > > > > > > > > > > > > > > | 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 |
db.aHook[i].xHook = xS;
}
}
db.aHook[db.nCommitHook].sequence = sequence;
db.aHook[db.nCommitHook].xHook = x;
db.nCommitHook++;
}
/*
** Set or unset the query authorizer callback function
*/
void db_set_authorizer(
int(*xAuth)(void*,int,const char*,const char*,const char*,const char*),
void *pArg,
const char *zName /* for tracing */
){
if( db.xAuth ){
fossil_panic("multiple active db_set_authorizer() calls");
}
if( g.db ) sqlite3_set_authorizer(g.db, xAuth, pArg);
db.xAuth = xAuth;
db.pAuthArg = pArg;
db.zAuthName = zName;
if( g.fSqlTrace ) fossil_trace("-- set authorizer %s\n", zName);
}
void db_clear_authorizer(void){
if( db.zAuthName && g.fSqlTrace ){
fossil_trace("-- discontinue authorizer %s\n", db.zAuthName);
}
if( g.db ) sqlite3_set_authorizer(g.db, 0, 0);
db.xAuth = 0;
db.pAuthArg = 0;
}
#if INTERFACE
/*
** Possible flags to db_vprepare
*/
#define DB_PREPARE_IGNORE_ERROR 0x001 /* Suppress errors */
#define DB_PREPARE_PERSISTENT 0x002 /* Stmt will stick around for a while */
|
| ︙ | ︙ | |||
842 843 844 845 846 847 848 |
** database.
*/
void db_init_database(
const char *zFileName, /* Name of database file to create */
const char *zSchema, /* First part of schema */
... /* Additional SQL to run. Terminate with NULL. */
){
| | | | > > > | | | | | | | | 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 |
** database.
*/
void db_init_database(
const char *zFileName, /* Name of database file to create */
const char *zSchema, /* First part of schema */
... /* Additional SQL to run. Terminate with NULL. */
){
sqlite3 *xdb;
int rc;
const char *zSql;
va_list ap;
xdb = db_open(zFileName ? zFileName : ":memory:");
sqlite3_exec(xdb, "BEGIN EXCLUSIVE", 0, 0, 0);
if( db.xAuth ){
sqlite3_set_authorizer(xdb, db.xAuth, db.pAuthArg);
}
rc = sqlite3_exec(xdb, zSchema, 0, 0, 0);
if( rc!=SQLITE_OK ){
db_err("%s", sqlite3_errmsg(xdb));
}
va_start(ap, zSchema);
while( (zSql = va_arg(ap, const char*))!=0 ){
rc = sqlite3_exec(xdb, zSql, 0, 0, 0);
if( rc!=SQLITE_OK ){
db_err("%s", sqlite3_errmsg(xdb));
}
}
va_end(ap);
sqlite3_exec(xdb, "COMMIT", 0, 0, 0);
if( zFileName || g.db!=0 ){
sqlite3_close(xdb);
}else{
g.db = xdb;
}
}
/*
** Function to return the number of seconds since 1970. This is
** the same as strftime('%s','now') but is more compact.
*/
|
| ︙ | ︙ | |||
2087 2088 2089 2090 2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 |
**
** Check for unfinalized statements and report errors if the reportErrors
** argument is true. Ignore unfinalized statements when false.
*/
void db_close(int reportErrors){
sqlite3_stmt *pStmt;
if( g.db==0 ) return;
if( g.fSqlStats ){
int cur, hiwtr;
sqlite3_db_status(g.db, SQLITE_DBSTATUS_LOOKASIDE_USED, &cur, &hiwtr, 0);
fprintf(stderr, "-- LOOKASIDE_USED %10d %10d\n", cur, hiwtr);
sqlite3_db_status(g.db, SQLITE_DBSTATUS_LOOKASIDE_HIT, &cur, &hiwtr, 0);
fprintf(stderr, "-- LOOKASIDE_HIT %10d\n", hiwtr);
sqlite3_db_status(g.db, SQLITE_DBSTATUS_LOOKASIDE_MISS_SIZE, &cur,&hiwtr,0);
| > | 2119 2120 2121 2122 2123 2124 2125 2126 2127 2128 2129 2130 2131 2132 2133 |
**
** Check for unfinalized statements and report errors if the reportErrors
** argument is true. Ignore unfinalized statements when false.
*/
void db_close(int reportErrors){
sqlite3_stmt *pStmt;
if( g.db==0 ) return;
sqlite3_set_authorizer(g.db, 0, 0);
if( g.fSqlStats ){
int cur, hiwtr;
sqlite3_db_status(g.db, SQLITE_DBSTATUS_LOOKASIDE_USED, &cur, &hiwtr, 0);
fprintf(stderr, "-- LOOKASIDE_USED %10d %10d\n", cur, hiwtr);
sqlite3_db_status(g.db, SQLITE_DBSTATUS_LOOKASIDE_HIT, &cur, &hiwtr, 0);
fprintf(stderr, "-- LOOKASIDE_HIT %10d\n", hiwtr);
sqlite3_db_status(g.db, SQLITE_DBSTATUS_LOOKASIDE_MISS_SIZE, &cur,&hiwtr,0);
|
| ︙ | ︙ | |||
2116 2117 2118 2119 2120 2121 2122 |
sqlite3_status(SQLITE_STATUS_PAGECACHE_OVERFLOW, &cur, &hiwtr, 0);
fprintf(stderr, "-- PCACHE_OVFLOW %10d %10d\n", cur, hiwtr);
fprintf(stderr, "-- prepared statements %10d\n", db.nPrepare);
}
while( db.pAllStmt ){
db_finalize(db.pAllStmt);
}
| | > | | > > | | 2149 2150 2151 2152 2153 2154 2155 2156 2157 2158 2159 2160 2161 2162 2163 2164 2165 2166 2167 2168 2169 2170 2171 2172 |
sqlite3_status(SQLITE_STATUS_PAGECACHE_OVERFLOW, &cur, &hiwtr, 0);
fprintf(stderr, "-- PCACHE_OVFLOW %10d %10d\n", cur, hiwtr);
fprintf(stderr, "-- prepared statements %10d\n", db.nPrepare);
}
while( db.pAllStmt ){
db_finalize(db.pAllStmt);
}
if( db.nBegin ){
if( reportErrors ){
fossil_warning("Transaction started at %s:%d never commits",
db.zStartFile, db.iStartLine);
}
db_end_transaction(1);
}
pStmt = 0;
sqlite3_busy_timeout(g.db, 0);
g.dbIgnoreErrors++; /* Stop "database locked" warnings */
sqlite3_exec(g.db, "PRAGMA optimize", 0, 0, 0);
g.dbIgnoreErrors--;
db_close_config();
/* If the localdb has a lot of unused free space,
** then VACUUM it as we shut down.
*/
|
| ︙ | ︙ | |||
2166 2167 2168 2169 2170 2171 2172 2173 2174 2175 2176 2177 2178 2179 |
*/
void db_panic_close(void){
if( g.db ){
int rc;
sqlite3_wal_checkpoint(g.db, 0);
rc = sqlite3_close(g.db);
if( g.fSqlTrace ) fossil_trace("-- sqlite3_close(%d)\n", rc);
}
g.db = 0;
g.repositoryOpen = 0;
g.localOpen = 0;
}
/*
| > | 2202 2203 2204 2205 2206 2207 2208 2209 2210 2211 2212 2213 2214 2215 2216 |
*/
void db_panic_close(void){
if( g.db ){
int rc;
sqlite3_wal_checkpoint(g.db, 0);
rc = sqlite3_close(g.db);
if( g.fSqlTrace ) fossil_trace("-- sqlite3_close(%d)\n", rc);
db_clear_authorizer();
}
g.db = 0;
g.repositoryOpen = 0;
g.localOpen = 0;
}
/*
|
| ︙ | ︙ |
Changes to src/report.c.
| ︙ | ︙ | |||
228 229 230 231 232 233 234 |
return rc;
}
/*
** Activate the query authorizer
*/
void report_restrict_sql(char **pzErr){
| | | | 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 |
return rc;
}
/*
** Activate the query authorizer
*/
void report_restrict_sql(char **pzErr){
db_set_authorizer(report_query_authorizer,(void*)pzErr,"Ticket-Report");
sqlite3_limit(g.db, SQLITE_LIMIT_VDBE_OP, 10000);
}
void report_unrestrict_sql(void){
db_clear_authorizer();
}
/*
** Check the given SQL to see if is a valid query that does not
** attempt to do anything dangerous. Return 0 on success and a
** pointer to an error message string (obtained from malloc) if
|
| ︙ | ︙ | |||
678 679 680 681 682 683 684 |
/* Do initialization
*/
if( pState->nCount==0 ){
/* Turn off the authorizer. It is no longer doing anything since the
** query has already been prepared.
*/
| | | 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 |
/* Do initialization
*/
if( pState->nCount==0 ){
/* Turn off the authorizer. It is no longer doing anything since the
** query has already been prepared.
*/
db_clear_authorizer();
/* Figure out the number of columns, the column that determines background
** color, and whether or not this row of data is represented by multiple
** rows in the table.
*/
pState->nCol = 0;
pState->isMultirow = 0;
|
| ︙ | ︙ |
Changes to src/tkt.c.
| ︙ | ︙ | |||
368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 |
int ticket_change(const char *zUuid){
const char *zConfig;
Th_FossilInit(TH_INIT_DEFAULT);
Th_Store("uuid", zUuid);
zConfig = ticket_change_code();
return Th_Eval(g.interp, 0, zConfig, -1);
}
/*
** Recreate the TICKET and TICKETCHNG tables.
*/
void ticket_create_table(int separateConnection){
char *zSql;
db_multi_exec(
"DROP TABLE IF EXISTS ticket;"
"DROP TABLE IF EXISTS ticketchng;"
);
zSql = ticket_table_schema();
if( separateConnection ){
if( db_transaction_nesting_depth() ) db_end_transaction(0);
db_init_database(g.zRepositoryName, zSql, 0);
}else{
db_multi_exec("%s", zSql/*safe-for-%s*/);
}
fossil_free(zSql);
}
/*
** Repopulate the TICKET and TICKETCHNG tables from scratch using all
** available ticket artifacts.
*/
| > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > | 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 |
int ticket_change(const char *zUuid){
const char *zConfig;
Th_FossilInit(TH_INIT_DEFAULT);
Th_Store("uuid", zUuid);
zConfig = ticket_change_code();
return Th_Eval(g.interp, 0, zConfig, -1);
}
/*
** An authorizer function for the SQL used to initialize the
** schema for the ticketing system. Only allow CREATE TABLE and
** CREATE INDEX for tables whose names begin with "ticket" and
** changes to tables whose names begin with "ticket".
*/
static int ticket_schema_auth(
void *pNErr,
int eCode,
const char *z0,
const char *z1,
const char *z2,
const char *z3
){
switch( eCode ){
case SQLITE_CREATE_TABLE: {
if( sqlite3_stricmp(z2,"main")!=0
&& sqlite3_stricmp(z2,"repository")!=0
){
goto ticket_schema_error;
}
if( sqlite3_strnicmp(z0,"ticket",6)!=0 ){
goto ticket_schema_error;
}
break;
}
case SQLITE_CREATE_INDEX: {
if( sqlite3_stricmp(z2,"main")!=0
&& sqlite3_stricmp(z2,"repository")!=0
){
goto ticket_schema_error;
}
if( sqlite3_strnicmp(z1,"ticket",6)!=0 ){
goto ticket_schema_error;
}
break;
}
case SQLITE_INSERT:
case SQLITE_UPDATE:
case SQLITE_DELETE: {
if( sqlite3_stricmp(z2,"main")!=0
&& sqlite3_stricmp(z2,"repository")!=0
){
goto ticket_schema_error;
}
if( sqlite3_strnicmp(z0,"ticket",6)!=0
&& sqlite3_strnicmp(z0,"sqlite_",7)!=0
){
goto ticket_schema_error;
}
break;
}
case SQLITE_REINDEX:
case SQLITE_TRANSACTION:
case SQLITE_READ: {
break;
}
default: {
goto ticket_schema_error;
}
}
return SQLITE_OK;
ticket_schema_error:
if( pNErr ) *(int*)pNErr = 1;
return SQLITE_DENY;
}
/*
** Recreate the TICKET and TICKETCHNG tables.
*/
void ticket_create_table(int separateConnection){
char *zSql;
db_multi_exec(
"DROP TABLE IF EXISTS ticket;"
"DROP TABLE IF EXISTS ticketchng;"
);
zSql = ticket_table_schema();
if( separateConnection ){
if( db_transaction_nesting_depth() ) db_end_transaction(0);
db_set_authorizer(ticket_schema_auth,0,"Ticket-Schema");
db_init_database(g.zRepositoryName, zSql, 0);
}else{
db_set_authorizer(ticket_schema_auth,0,"Ticket-Schema");
db_multi_exec("%s", zSql/*safe-for-%s*/);
}
db_clear_authorizer();
fossil_free(zSql);
}
/*
** Repopulate the TICKET and TICKETCHNG tables from scratch using all
** available ticket artifacts.
*/
|
| ︙ | ︙ |